Sec Bug #69453 Memory Corruption in phar_parse_tarfile when entry filename starts with null
Submitted: 2015-04-14 22:15 UTC Modified: 2015-05-19 05:33 UTC
From: emmanuel dot law at gmail dot com Assigned: laruence (profile)
Status: Closed Package: PHAR related
PHP Version: 5.6.8 OS: *
Private report: No CVE-ID: 2015-4021
 [2015-04-14 22:15 UTC] emmanuel dot law at gmail dot com
Description:
------------
This is a single byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte.

At tar.c:430 entry.filename_len will be set to zero:

    /* excerpt: the check sits in the loop that scans hdr->name for the
       terminating NUL; the assignment follows the loop, so i == 0 when
       the very first byte of the name is NUL */
    if (hdr->name[i] == '\0') {
        break;
    }
    entry.filename_len = i;

This will result in an underflow in the array index at tar.c:437:

    /* excerpt: with entry.filename_len == 0 the index wraps */
    if (entry.filename[entry.filename_len - 1] == '/') {
        entry.filename[entry.filename_len - 1] = '\0';
        entry.filename_len--;
    }

Since entry.filename is pointing to a heap chunk (zend_mm_block), on an x86 machine it has the potential to corrupt the heap chunk metadata.

On an x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF.

Test script:
---------------
POC here:
https://www.dropbox.com/s/dg8uit7533e8q8l/POC_1byte_corruption.zip?dl=0

$ ./php POC_FileName_Nullbyte_crash.php

Segmentation fault

Actual result:
--------------

gdb-peda$ frame
#0  phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
    alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
437                             if (entry.filename[entry.filename_len - 1] == '/') {
gdb-peda$ p entry.filename_len
$2 = 0x0
gdb-peda$ p entry.filename_len -1
$3 = 0xffffffff   <<< integer underflow


gdb-peda$ bt
#0  phar_parse_tarfile (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar", fname_len=0x56,
    alias=0x0, alias_len=0x0, pphar=0x7fffffffa760, is_data=0x0, compression=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:437
#1  0x00000000006339d2 in phar_open_from_fp (fp=0x7ffff7fbdfe0, fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
    fname_len=0x56, alias=0x0, alias_len=0x0, options=0x8, pphar=0x7fffffffa760, is_data=0x0, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1709
#2  0x00000000006326f4 in phar_create_or_parse_filename (fname=0x7ffff7fbeb20 "/home/elaw/php-5.6.7/sapi/cli/PHAR_TAR_GZ_FUZZING/WIP_POC__null_byte_filename.tar.phar",
    fname_len=0x56, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8, pphar=0x7fffffffa760, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1346
#3  0x0000000000612018 in phar_open_or_create_tar (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0, options=0x8,
    pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/tar.c:130
#4  0x00000000006325d3 in phar_open_or_create_filename (fname=0x7ffff7fbe688 "WIP_POC__null_byte_filename.tar.phar", fname_len=0x24, alias=0x0, alias_len=0x0, is_data=0x0,
    options=0x8, pphar=0x7fffffffa878, error=0x7fffffffa8b8) at /home/elaw/php-5.6.8RC1/ext/phar/phar.c:1312
#5  0x000000000063e438 in zim_Phar___construct (ht=0x2, return_value=0x7ffff7fbc350, return_value_ptr=0x7ffff7f854d0, this_ptr=0x7ffff7fbc440, return_value_used=0x0)
    at /home/elaw/php-5.6.8RC1/ext/phar/phar_object.c:1189
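The length-scan and trailing-slash trim described in the report, modelled as a small stand-alone program. This is an added example, not code from the report or from php-src: the tar header's 100-byte name field is a plain array, the length is kept in a 32-bit unsigned value (the gdb session above shows the wrapped index 0xffffffff), and the names tar_name_length, unsafe_trim_index, safe_trim_trailing_slash and parse_and_trim are the example's own. The unsafe helper only computes the index the pre-fix check would use and never dereferences it; the safe helper applies the check the fix commit describes ("don't try to cut empty string"): look at the last byte only when there is one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 100-byte name field of a tar header. */
#define TAR_NAME_LEN 100

typedef struct {
    char name[TAR_NAME_LEN + 1];  /* NUL-terminated copy of the entry name */
    uint32_t len;                 /* length after trimming, 32-bit like the report's */
    int unsafe_would_wrap;        /* 1 if the pre-fix index computation wrapped */
} tar_entry_name;

/* Length of the name field: scan up to the first NUL, as the report describes
 * for tar.c:430. A field whose first byte is NUL yields 0. */
static uint32_t tar_name_length(const char field[TAR_NAME_LEN]) {
    uint32_t i;
    for (i = 0; i < TAR_NAME_LEN; i++) {
        if (field[i] == '\0') {
            break;
        }
    }
    return i;
}

/* Index the pre-fix check at tar.c:437 would use. The subtraction is done on a
 * 32-bit unsigned value, so a zero length wraps to 0xFFFFFFFF. This helper only
 * computes the index; it never reads or writes through it. */
static uint32_t unsafe_trim_index(uint32_t filename_len) {
    return filename_len - 1;
}

/* Hardened trim: refuse to look at "the last byte" of an empty name, otherwise
 * drop a single trailing '/'. Returns the new length. */
static uint32_t safe_trim_trailing_slash(char *filename, uint32_t filename_len) {
    if (filename_len > 0 && filename[filename_len - 1] == '/') {
        filename[filename_len - 1] = '\0';
        filename_len--;
    }
    return filename_len;
}

/* Build a name field from a C string (constructed input), measure it, record
 * whether the unsafe index would have wrapped, then trim safely. */
static tar_entry_name parse_and_trim(const char *entry_name) {
    char field[TAR_NAME_LEN];
    tar_entry_name r;
    size_t n = strlen(entry_name);
    if (n > TAR_NAME_LEN) {
        n = TAR_NAME_LEN;
    }
    memset(field, 0, sizeof field);   /* a "" input leaves the first byte NUL */
    memcpy(field, entry_name, n);

    r.len = tar_name_length(field);
    memcpy(r.name, field, r.len);
    r.name[r.len] = '\0';
    r.unsafe_would_wrap = (unsafe_trim_index(r.len) == UINT32_MAX);
    r.len = safe_trim_trailing_slash(r.name, r.len);
    return r;
}

/* Helper for checks: does the safely trimmed name equal the expected string? */
static int trimmed_name_equals(const char *entry_name, const char *expected) {
    tar_entry_name r = parse_and_trim(entry_name);
    return strcmp(r.name, expected) == 0;
}

int main(void) {
    /* Constructed inputs; "" stands for a name field whose first byte is NUL. */
    const char *inputs[] = { "dir/", "file.txt", "/", "" };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        tar_entry_name r = parse_and_trim(inputs[k]);
        printf("%-10s -> \"%s\" (len %u, unsafe index would wrap: %s)\n",
               inputs[k], r.name, (unsigned)r.len,
               r.unsafe_would_wrap ? "yes" : "no");
    }
    return 0;
}
```

Running it prints one line per input; only the NUL-led name reports a wrapped index, and the lone "/" shows that the guarded trim still handles the one-byte case the check exists for (it becomes an empty name rather than an out-of-bounds access).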

History

 [2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.8RC1 +PHP Version: 5.6.8
 [2015-04-29 11:00 UTC] emmanuel dot law at gmail dot com
Hi,
any update/verification on this? The latest version of PHP is still affected.
 [2015-05-12 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-12 19:40 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-05-12 22:58 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-13 10:53 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2c1e49075ba48d93439a9e79eae43d9f8469b832
Log: Fix bug #69453 - don't try to cut empty string
 [2015-05-19 05:33 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence -CVE-ID: +CVE-ID: 2015-4021